Professional Documents
Culture Documents
Lesson 8 Identifying and Assessing The ROMM
Lesson 8 Identifying and Assessing The ROMM
1. Concept of Risk
Auditing is accompanied by risk. From the reason why there is a need for audit, the
conduct of audit, up to the end of audit, risk is involved.
Risk - the possibility that something unpleasant or unwelcome will happen.
Information risk – risk that the information is misstated or misleading.
Engagement risk (auditor’s business risks) – risk such financial loss, loss from litigation,
adverse publicity, or other events arising in connection with the audit of financial statements (or
other engagement).
Business risk – A risk resulting from significant conditions, events, circumstances, actions or
inactions that could adversely affect an entity’s ability to achieve its objectives and execute its
strategies, or from the setting of inappropriate objectives and strategies.
Audit risk—Audit risk is the risk that the auditor gives an inappropriate audit opinion when the
financial statements are materially misstated. Audit risk has three components: inherent risk,
control risk and detection risk. Inherent risk and control risk are the risk of material misstatement
at the assertion level.
2. Audit Risk Model
Audit risk model is a model that expresses the general relationship of the components of
audit risk in mathematical terms to arrive at an acceptable level of detection risk. It is a tool used by
an auditor to determine the proper response to assessed risks of material misstatement at the
assertion level. It is expressed in the formula:
𝐴𝑢𝑑𝑖𝑡 𝑅𝑖𝑠𝑘 = 𝐼𝑛ℎ𝑒𝑟𝑒𝑛𝑡 𝑅𝑖𝑠𝑘 𝑥 𝐶𝑜𝑛𝑡𝑟𝑜𝑙 𝑅𝑖𝑠𝑘 𝑥 𝐷𝑒𝑡𝑒𝑐𝑡𝑖𝑜𝑛 𝑅𝑖𝑠𝑘
𝐴𝑢𝑑𝑖𝑡 𝑅𝑖𝑠𝑘
Or, 𝐷𝑒𝑡𝑒𝑐𝑡𝑖𝑜𝑛 𝑅𝑖𝑠𝑘 = 𝑅𝑂𝑀𝑀 (𝐼𝑛ℎ𝑒𝑟𝑒𝑛𝑡 𝑅𝑖𝑠𝑘 𝑥 𝐶𝑜𝑛𝑡𝑟𝑜𝑙 𝑅𝑖𝑠𝑘)
Audit risk—Audit risk is the risk that the auditor gives an inappropriate audit opinion
when the financial statements are materially misstated. Audit risk has three components: inherent
risk, control risk and detection risk.
Inherent risk—Inherent risk is the susceptibility of an account balance or class of
transactions to misstatement that could be material, individually or when aggregated with
misstatements in other balances of classes, assuming that there were no related internal controls.
Control risk—Control risk is the risk that a misstatement that could occur in an account
balance or class of transactions and that could be material, individually or when aggregated with
misstatements in other balances or classes, will not be prevented or detected and corrected on a
timely basis by the accounting and internal control systems. It is a function of the effectiveness
of the design, implementation and maintenance of internal control by management to address
identified risks that threaten the achievement of the entity’s objectives relevant to preparation of
the entity’s financial statements.
The risks of material misstatement at the assertion level consist of two components:
inherent risk and control risk. Inherent risk and control risk are the entity’s risks; they exist
independently of the audit of the financial statements.
Detection risk—Detection risk is the risk that an auditor’s substantive procedures will
not detect a misstatement that exists in an account balance or class of transactions that could be
material, individually or when aggregated with misstatements in other balances or classes. It
relates to the nature, timing, and extent of the auditor’s procedures that are determined by the
auditor to reduce audit risk to an acceptably low level. It is therefore a function of the
effectiveness of an audit procedure and of its application by the auditor. Matters such as:
• adequate planning;
• proper assignment of personnel to the engagement team;
• the application of professional skepticism; and
• supervision and review of the audit work performed,
assist to enhance the effectiveness of an audit procedure and of its application and reduce the
possibility that an auditor might select an inappropriate audit procedure, misapply an appropriate
audit procedure, or misinterpret the audit results.
For a given level of audit risk, the acceptable level of detection risk bears an inverse
relationship to the assessed risks of material misstatement at the assertion level. For example, the
greater the risks of material misstatement the auditor believes exists, the less the detection risk
that can be accepted and, accordingly, the more persuasive the audit evidence required by the
auditor.
3. Identifying and Assessing the Risk of Material Misstatement
The auditor shall identify and assess the risks of material misstatement at:
a. The financial statement level; and
b. The assertion level for classes of transactions, account balances, and disclosures, to
provide a basis for designing and performing further audit procedures.
Assessment of Risks of Material Misstatement at the F/S Level
Risks of material misstatement at the financial statement level refer to risks that
relate pervasively to the financial statements as a whole and potentially affect many
assertions. Risks of this nature are not necessarily risks identifiable with specific
assertions at the class of transactions, account balance, or disclosure level. Rather, they
represent circumstances that may increase the risks of material misstatement at the
assertion level, for example, through management override of internal control. Financial
statement level risks may be especially relevant to the auditor’s consideration of the risks
of material misstatement arising from fraud.
Risks at the financial statement level may derive in particular from a weak control
environment (although these risks may also relate to other factors, such as declining
economic conditions). For example, weaknesses such as management’s lack of
competence may have a more pervasive effect on the financial statements and may
require an overall response by the auditor.
The auditor’s understanding of internal control may raise doubts about the
auditability of an entity’s financial statements. For example:
• Concerns about the integrity of the entity’s management may be so serious as to
cause the auditor to conclude that the risk of management misrepresentation in the
financial statements is such that an audit cannot be conducted.
• Concerns about the condition and reliability of an entity’s records may cause the
auditor to conclude that it is unlikely that sufficient appropriate audit evidence
will be available to support an unqualified opinion on the financial statements.
Assessment of Risks of Material Misstatement at the Assertion Level
or account balances, the characteristics of which often permit highly automated processing with
little or no manual intervention. In such cases, the entity’s controls over such risks are relevant to
the audit and the auditor shall obtain an understanding of them.
Risks of material misstatement may relate directly to the recording of routine classes of
transactions or account balances, and the preparation of reliable financial statements. Such risks
may include risks of inaccurate or incomplete processing for routine and significant classes of
transactions such as an entity’s revenue, purchases, and cash receipts or cash payments.
Where such routine business transactions are subject to highly automated processing with
little or no manual intervention, it may not be possible to perform only substantive procedures in
relation to the risk. For example, the auditor may consider this to be the case in circumstances
where a significant amount of an entity’s information is initiated, recorded, processed, or
reported only in electronic form such as in an integrated system. In such cases:
• Audit evidence may be available only in electronic form, and its sufficiency and
appropriateness usually depend on the effectiveness of controls over its accuracy and
completeness.
• The potential for improper initiation or alteration of information to occur and not be
detected may be greater if appropriate controls are not operating effectively.
7. Revision of Risk Assessment
The auditor’s assessment of the risks of material misstatement at the assertion level may
change during the course of the audit as additional audit evidence is obtained. In circumstances
where the auditor obtains audit evidence from performing further audit procedures, or if new
information is obtained, either of which is inconsistent with the audit evidence on which the
auditor originally based the assessment, the auditor shall revise the assessment and modify the
further planned audit procedures accordingly.
During the audit, information may come to the auditor’s attention that differs
significantly from the information on which the risk assessment was based. For example, the risk
assessment may be based on an expectation that certain controls are operating effectively. In
performing tests of those controls, the auditor may obtain audit evidence that they were not
operating effectively at relevant times during the audit. Similarly, in performing substantive
procedures the auditor may detect misstatements in amounts or frequency greater than is
consistent with the auditor’s risk assessments. In such circumstances, the risk assessment may
not appropriately reflect the true circumstances of the entity and the further planned audit
procedures may not be effective in detecting material misstatements.